From: confluence@apache.org
To: commits@cxf.apache.org
Reply-To: dev@cxf.apache.org
Date: Thu, 3 Nov 2011 07:57:00 -0400 (EDT)
Message-ID: <26826922.26644.1320321420023.JavaMail.confluence@thor>
Subject: [CONF] Apache CXF Documentation > JAX-RS XML Security

JAX-RS XML Security

Page edited by Sergey Beryozkin


Full Content

JAX-RS: XML Security

Introduction

CXF 2.5.0 introduces initial support for securing JAX-RS clients and endpoints with XML Signature and XML Encryption.
This is a work in progress and enhancements will be applied regularly. Support for alternative signature and encryption technologies will also be provided in due time.

Maven dependencies

<dependency>
  <groupId>org.apache.cxf</groupId>
  <artifactId>cxf-rt-rs-security-xml</artifactId>
  <version>2.5.0</version>
</dependency>

XML Signature

XML Signature defines three types of signatures: enveloped, enveloping and detached. All three types are supported by CXF JAX-RS.

Enveloped signatures

Payload:

<Book ID="4bd59819-7b78-47a5-bb61-cc08348e9d48">
   <id>126</id>
   <name>CXF</name>

   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
         <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
         <ds:Reference URI="#4bd59819-7b78-47a5-bb61-cc08348e9d48">
            <ds:Transforms>
               <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>eFduzs6Cg1/Wd6jagUmr8vRYxHY=</ds:DigestValue>
         </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>DLD+wU85G+Q+H/SNoMr1I7tOCAZAjd3lYE84sBGU5tuMtzbwxKOIgg10g2F1SUbpujy1CZZ9BPkQNA+gA1CH4FE3uiBzp3DDSVv6o5l6Q76Ci0XI28ylO7O1OCY+q2nbP0WtERFWOn9f9nniVKbduz6YQHjv6cNLd8pf4+k2U3g=</ds:SignatureValue>
      <ds:KeyInfo>
         <ds:X509Data><ds:X509Certificate>MIICGjCCAYOgAwIBAgIESVRgATANBgkq
hkiG9w0BAQUFADAzMRMwEQYDVQQKEwphcGFjaGUub3JnMQwwCgYDVQQLEwNlbmcxDjAMBgNVBAM
TBWN4ZmNhMB4XDTcwMDEwMTAwMDAwMFoXDTM4MDExOTAzMTQwN1owMzETMBEGA1UEChMKYXBhY2
hlLm9yZzEMMAoGA1UECxMDZW5nMQ4wDAYDVQQDEwVhbGljZTCBnzANBgkqhkiG9w0BAQEFAAOBj
QAwgYkCgYEAvu747/VShQ85f16DGSc4Ixh9PVpGguyEqrCsK8q9XHOYX9l9/g5wEC6ZcR2FwfNs
oaHcKNPjd5sSTzVtBWmQjfBEfIqwTR7vuihOxyNTwEzVwIJzvo7p8/aYxk+VdBtQxq4UweIcf/i
FkUbM1cZ1oiXRQzciRBi+C1BQCQE0qzsCAwEAAaM7MDkwIQYDVR0SBBowGIIWTk9UX0ZPUl9QUk
9EVUNUSU9OX1VTRTAUBgNVHREEDTALgglsb2NhbGhvc3QwDQYJKoZIhvcNAQEFBQADgYEAhLwkm
+8psKt4gnbikGzV0TgpSWGcWxWKBi+z8tI2n6hFA5v1jVHHa4G9h3s0nxQ2TewzeR/k7gmgV2sI
483NgrYHmTmLKaDBWza2pAuZuDhQH8GAEhJakFtKBP++EC9rNNpZnqqHxx3qb2tW25qRtBzDmK9
21gg9PMomMc7uqRQ=</ds:X509Certificate>
         </ds:X509Data>

         <ds:KeyValue>
            <ds:RSAKeyValue>
               <ds:Modulus>vu747/VShQ85f16DGSc4Ixh9PVpGguyEqrCsK8q9XHOYX9l9/g5wEC6ZcR2FwfNsoaHcKNPjd5sSTzVtBWmQjfBEfIqwTR7vuihOxyNTwEzVwIJzvo7p8/aYxk+VdBtQxq4UweIcf/iFkUbM1cZ1oiXRQzciRBi+C1BQCQE0qzs=</ds:Modulus>
               <ds:Exponent>AQAB</ds:Exponent>
            </ds:RSAKeyValue>
         </ds:KeyValue>
      </ds:KeyInfo>
   </ds:Signature>

</Book>

Note that the Book root element is signed, including its name and id children, and that the signature's ds:Reference links to Book.

Server Configuration fragment:


<bean id="serviceBean" class="org.apache.cxf.systest.jaxrs.security.BookStore"/>
<bean id="xmlSigHandler" class="org.apache.cxf.rs.security.xml.XmlSigInHandler"/>

<jaxrs:server address="/xmlsig">
    <jaxrs:serviceBeans>
        <ref bean="serviceBean"/>
    </jaxrs:serviceBeans>
    <jaxrs:providers>
        <ref bean="xmlSigHandler"/>
    </jaxrs:providers>
    <jaxrs:properties>
        <entry key="ws-security.signature.properties"
               value="org/apache/cxf/systest/jaxrs/security/alice.properties"/>
    </jaxrs:properties>
</jaxrs:server>

Note that org.apache.cxf.rs.security.xml.XmlSigInHandler is capable of processing all three types of XML Signature.

Client code:


String address = "https://localhost:8080/xmlsig/bookstore/books";
JAXRSClientFactoryBean bean = new JAXRSClientFactoryBean();
bean.setAddress(address);

// setup properties
Map<String, Object> properties = new HashMap<String, Object>();
properties.put("ws-security.callback-handler",
               "org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback");
properties.put("ws-security.signature.username", "alice");
properties.put("ws-security.signature.properties",
               "org/apache/cxf/systest/jaxrs/security/alice.properties");
bean.setProperties(properties);

// add the interceptor dealing with adding a signature
XmlSigOutInterceptor sigInterceptor = new XmlSigOutInterceptor();
bean.getOutInterceptors().add(sigInterceptor);

// load a bus with HTTPS configuration:
SpringBusFactory bf = new SpringBusFactory();
Bus bus = bf.createBus(configLocation);
bean.setBus(bus);

// use WebClient (or proxy) as usual
WebClient wc = bean.createWebClient();
Book book = wc.post(new Book("CXF", 126L), Book.class);

Spring configuration can also be used.
Please also check Secure JAX-RS Services on how HTTPS can be configured from Spring.

Enveloping signatures

Payload:

<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
   <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#88e688e6-6512-406f-9e88-a58e5d781ff0">
         <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
         </ds:Transforms>
         <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
         <ds:DigestValue>Cq3zl3t3DqWTvuZ+4EtZgGs4ikk=</ds:DigestValue>
      </ds:Reference>
   </ds:SignedInfo>
   <ds:SignatureValue>NvcCS8vx3YJkc8fHMf8bQkC+lwasC6CwiS7HfKSm8t+6TtYdM7TRbYxSuqfCTkF4vBIldWIzl6UngON592FfJdbvrgE2CusCkIybrP7BBmP7zTSV0GjH4/60L6ObkhGPkMNoKzw4V+zgF7Zo+F7ngsz5ZUWZX/GWETmTtYtcfT0=</ds:SignatureValue>
   <ds:KeyInfo>
      <ds:X509Data>
         <ds:X509Certificate><!-- Omitted for brevity --></ds:X509Certificate>
      </ds:X509Data>
      <ds:KeyValue>
         <ds:RSAKeyValue>
            <ds:Modulus>vu747/VShQ85f16DGSc4Ixh9PVpGguyEqrCsK8q9XHOYX9l9/g5wEC6ZcR2FwfNsoaHcKNPjd5sSTzVtBWmQjfBEfIqwTR7vuihOxyNTwEzVwIJzvo7p8/aYxk+VdBtQxq4UweIcf/iFkUbM1cZ1oiXRQzciRBi+C1BQCQE0qzs=</ds:Modulus>
            <ds:Exponent>AQAB</ds:Exponent>
         </ds:RSAKeyValue>
      </ds:KeyValue>
   </ds:KeyInfo>
   <ds:Object ID="88e688e6-6512-406f-9e88-a58e5d781ff0">
      <Book>
         <id>126</id>
         <name>CXF</name>
      </Book>
   </ds:Object>
</ds:Signature>

This time the signature is enveloping the Book element using a ds:Object wrapper, which the ds:Reference links to.

The server configuration fragment is identical to the one shown in the Enveloped signatures section.

The client code is nearly identical to the one shown in the Enveloped signatures section, except that XmlSigOutInterceptor needs to have an additional property set:


// add the interceptor dealing with adding a signature
XmlSigOutInterceptor sigInterceptor = new XmlSigOutInterceptor();
// wrap the signed element in ds:Object instead of embedding ds:Signature in it
sigInterceptor.setStyle("enveloping");
bean.getOutInterceptors().add(sigInterceptor);

Detached signatures

Payload:

<env:Envelope xmlns:env="http://org.apache.cxf/rs/env">

  <Book ID="e9836bc2-cb5a-453f-b967-a9ddbaf9a6de">
    <id>125</id>
    <name>CXF</name>
  </Book>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#e9836bc2-cb5a-453f-b967-a9ddbaf9a6de">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>Pxz77Hlg6I/MRsJz4gixkaMFtYI=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>JSwgiVqZT1EtJ9xqtb90juS54pvZguzFMne7cQyGMQDvBW7b65aAAIfVx/PmFB7Tuy4qB4zqNFCzCwHlhDurNP9NYB7PEzFsA3v3vSyEcHnpUhu41xmBvjT5HWEKbuzqX0dHekizuUefbfzG5WpluVPmOgjashrm9DIhfEf+Hyg=</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate><!-- Omitted for brevity --></ds:X509Certificate>
      </ds:X509Data>
      <ds:KeyValue>
        <ds:RSAKeyValue>
          <ds:Modulus>vu747/VShQ85f16DGSc4Ixh9PVpGguyEqrCsK8q9XHOYX9l9/g5wEC6ZcR2FwfNsoaHcKNPjd5sSTzVtBWmQjfBEfIqwTR7vuihOxyNTwEzVwIJzvo7p8/aYxk+VdBtQxq4UweIcf/iFkUbM1cZ1oiXRQzciRBi+C1BQCQE0qzs=</ds:Modulus>
          <ds:Exponent>AQAB</ds:Exponent>
        </ds:RSAKeyValue>
      </ds:KeyValue>
    </ds:KeyInfo>
  </ds:Signature>

  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                   xmlns:xs="http://www.w3.org/2001/XMLSchema"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   ID="_E462768C678896CE9913202742137181"
                   IssueInstant="2011-11-02T22:50:13.718Z"
                   Version="2.0"
                   xsi:type="saml2:AssertionType">

    <saml2:Issuer>https://idp.example.org/SAML2</saml2:Issuer>

    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <!--
        Enveloped/embedded SAML Assertion XML Signature is omitted for brevity
        See the JAX-RS SAML section for more info
      -->
    </ds:Signature>
    <!-- the rest of SAML assertion -->
  </saml2:Assertion>
</env:Envelope>

Note that the whole payload is enveloped by a configurable wrapper element. The Book instance is one part of the envelope and is signed by a detached signature (see the first ds:Signature, whose ds:Reference links to Book). The envelope also contains an embedded SAML assertion, which carries its own enveloped signature.

The instance of org.apache.cxf.rs.security.xml.XmlSigInHandler will handle a detached XML signature of the Book XML fragment on the server side. See the JAX-RS SAML section for more info on how to deal with SAML assertions.

The client code is nearly identical to the one shown in the Enveloped signatures section, except that XmlSigOutInterceptor needs to have an additional property set:


// add the interceptor dealing with adding a signature
XmlSigOutInterceptor sigInterceptor = new XmlSigOutInterceptor();
// place Book and ds:Signature side by side inside the configurable envelope element
sigInterceptor.setStyle("detached");
bean.getOutInterceptors().add(sigInterceptor);

Customizing the signature

org.apache.cxf.rs.security.xml.XmlSigOutInterceptor manages the creation of the signature on the client side.
The following properties can be set on it at the moment:

"style": possible values are "enveloped" (default), "enveloping" and "detached"
"envelopedName": only used with the "detached" style, default is "{http://org.apache.cxf/rs/env}Envelope"
"signatureAlgorithm": default is "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
"digestAlgorithm": default is "http://www.w3.org/2000/09/xmldsig#sha1"

XML Encryption

Encrypting XML payloads makes it possible to drop a requirement for HTTPS.

Here is a payload example:

<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:RetrievalMethod Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey"/>
    <xenc:EncryptedKey Id="EK-B353DDCEE7C575B6A213203188664772">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate><!-- Omitted for brevity --></ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
      <xenc:CipherData>
        <xenc:CipherValue>tPtZz4pnVWquaV2a7O0y+VrHoeWwk3Eu5Jnu3RHz5rGDB/MLyG6rBamhit03J2xWaV52zUtDAPEj8sr4oy5y2KLB09Hu317IbQjinePabUpd+DLnwNn5iHZpHWJPfndkh07JdYZSrMwqOvJ3fqrNJ+LQeLzZDneT8sC1vRyhSDU=</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedKey>
  </ds:KeyInfo>
  <xenc:CipherData>
    <xenc:CipherValue>3ZPQ3SapAxemJwqG58sWh+r8B5SMRf/DZ2w/REswgl0zr8kpk0x4tayC5hl7IbSE8CPQYYHX8sXVnUFUoHOtJA==</xenc:CipherValue>
  </xenc:CipherData>
</xenc:EncryptedData>


Here is a server configuration fragment:

<bean id="serviceBean" class="org.apache.cxf.systest.jaxrs.security.BookStore"/>
<bean id="xmlSigHandler" class="org.apache.cxf.rs.security.xml.XmlSigInHandler"/>

<bean id="xmlEncHandler" class="org.apache.cxf.rs.security.xml.XmlEncInHandler"/>

<jaxrs:server address="/xmlsig">
    <jaxrs:serviceBeans>
        <ref bean="serviceBean"/>
    </jaxrs:serviceBeans>
    <jaxrs:providers>
        <ref bean="xmlEncHandler"/>
        <ref bean="xmlSigHandler"/>
    </jaxrs:providers>
    <jaxrs:properties>
        <entry key="ws-security.callback-handler"
               value="org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback"/>
        <entry key="ws-security.encryption.properties"
               value="org/apache/cxf/systest/jaxrs/security/bob.properties"/>
        <entry key="ws-security.signature.properties"
               value="org/apache/cxf/systest/jaxrs/security/alice.properties"/>
    </jaxrs:properties>
</jaxrs:server>

This configuration supports receiving signed and then encrypted XML payloads.

Client code:

String address = "https://localhost:8080/xmlencryption/bookstore/books";
JAXRSClientFactoryBean bean = new JAXRSClientFactoryBean();
bean.setAddress(address);

// setup properties
Map<String, Object> properties = new HashMap<String, Object>();

properties.put("ws-security.callback-handler",
               "org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback");
properties.put("ws-security.encryption.username", "bob");
properties.put("ws-security.encryption.properties",
               "org/apache/cxf/systest/jaxrs/security/bob.properties");

// if signature required:
properties.put("ws-security.signature.username", "alice");
properties.put("ws-security.signature.properties",
               "org/apache/cxf/systest/jaxrs/security/alice.properties");

bean.setProperties(properties);

// if signature required: add the interceptor dealing with adding a signature
XmlSigOutInterceptor sigInterceptor = new XmlSigOutInterceptor();
bean.getOutInterceptors().add(sigInterceptor);

// add the interceptor dealing with the encryption
XmlEncOutInterceptor encInterceptor = new XmlEncOutInterceptor();
encInterceptor.setSymmetricEncAlgorithm("http://www.w3.org/2001/04/xmlenc#aes128-cbc");
bean.getOutInterceptors().add(encInterceptor);

// use WebClient (or proxy) as usual
WebClient wc = bean.createWebClient();
// post(Object) returns the raw Response; post(Object, Class) would return the unmarshalled entity instead
Response r = wc.post(new Book("CXF", 126L));
assertEquals(200, r.getStatus());

Note that the XmlEncOutInterceptor has its "symmetricEncAlgorithm" property set to a weaker algorithm just to get the CXF tests passing.

The actual application client code does not expect a payload such as Book back, but if it did then configuring the server to encrypt the response would be straightforward:

<bean id="serviceBean" class="org.apache.cxf.systest.jaxrs.security.BookStore"/>
<bean id="xmlSigHandler" class="org.apache.cxf.rs.security.xml.XmlSigInHandler"/>

<bean id="xmlEncHandler" class="org.apache.cxf.rs.security.xml.XmlEncInHandler"/>

<bean id="xmlEncOutHandler" class="org.apache.cxf.rs.security.xml.XmlEncOutInterceptor">
    <property name="symmetricEncAlgorithm" value="aes128-cbc"/>
</bean>

<jaxrs:server address="/xmlsig">
    <jaxrs:serviceBeans>
        <ref bean="serviceBean"/>
    </jaxrs:serviceBeans>
    <jaxrs:providers>
        <ref bean="xmlEncHandler"/>
        <ref bean="xmlSigHandler"/>
    </jaxrs:providers>
    <jaxrs:outInterceptors>
        <ref bean="xmlEncOutHandler"/>
    </jaxrs:outInterceptors>
    <jaxrs:properties>
        <entry key="ws-security.callback-handler"
               value="org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback"/>
        <entry key="ws-security.encryption.properties"
               value="org/apache/cxf/systest/jaxrs/security/bob.properties"/>
    </jaxrs:properties>
</jaxrs:server>

Note the addition of a bean with id "xmlEncOutHandler". This example also shows that the encryption properties can be used to validate the incoming signature as well, which simplifies the configuration a bit. Now the client code can be updated to expect an encrypted Book back:

String address = "https://localhost:8080/xmlencryption/bookstore/books";
JAXRSClientFactoryBean bean = new JAXRSClientFactoryBean();
bean.setAddress(address);

// setup properties
Map<String, Object> properties = new HashMap<String, Object>();

properties.put("ws-security.callback-handler",
               "org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback");
properties.put("ws-security.encryption.username", "bob");
properties.put("ws-security.encryption.properties",
               "org/apache/cxf/systest/jaxrs/security/bob.properties");

bean.setProperties(properties);

// if signature required: add the interceptor dealing with adding a signature
XmlSigOutInterceptor sigInterceptor = new XmlSigOutInterceptor();
bean.getOutInterceptors().add(sigInterceptor);

// add the interceptor dealing with the encryption
XmlEncOutInterceptor encInterceptor = new XmlEncOutInterceptor();
encInterceptor.setSymmetricEncAlgorithm("http://www.w3.org/2001/04/xmlenc#aes128-cbc");
bean.getOutInterceptors().add(encInterceptor);

// use WebClient (or proxy) as usual
WebClient wc = bean.createWebClient();
Book book = wc.post(new Book("CXF", 126L), Book.class);
assertEquals("CXF", book.getName());

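The two server fragments above combined into one programmatic (non-Spring) configuration; this is an added example and is not code from the original page or the CXF project. It reuses BookStore, the KeystorePasswordCallback class name and the alice/bob properties files that the fragments reference; the listening address, the use of plain HTTP and keeping the aes256-cbc default for responses are this example's own assumptions.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

import org.apache.cxf.endpoint.Server;
import org.apache.cxf.jaxrs.JAXRSServerFactoryBean;
import org.apache.cxf.rs.security.xml.XmlEncInHandler;
import org.apache.cxf.rs.security.xml.XmlEncOutInterceptor;
import org.apache.cxf.rs.security.xml.XmlSigInHandler;
import org.apache.cxf.systest.jaxrs.security.BookStore;

/**
 * Programmatic counterpart of the two server fragments on this page: requests
 * must be signed by "alice" and then encrypted for "bob", and responses are
 * encrypted on the way out. Added example, not CXF project code.
 */
public final class XmlSecServer {

    /** The ws-security.* properties read by the in-handlers and the out-interceptor. */
    public static Map<String, Object> securityProperties() {
        Map<String, Object> props = new HashMap<String, Object>();
        // password callback for the keystores named in the two properties files
        props.put("ws-security.callback-handler",
                  "org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback");
        // bob's keystore: the private key that unwraps the xenc:EncryptedKey
        props.put("ws-security.encryption.properties",
                  "org/apache/cxf/systest/jaxrs/security/bob.properties");
        // alice's certificate: verifies the signature once the payload is decrypted
        props.put("ws-security.signature.properties",
                  "org/apache/cxf/systest/jaxrs/security/alice.properties");
        return props;
    }

    public static Server start(String address, boolean encryptResponses) {
        JAXRSServerFactoryBean sf = new JAXRSServerFactoryBean();
        sf.setAddress(address);
        sf.setServiceBean(new BookStore());

        // Registered in the same order as the <jaxrs:providers> list above: the
        // request was encrypted last, so it is decrypted before its signature is checked.
        sf.setProviders(Arrays.asList(new XmlEncInHandler(), new XmlSigInHandler()));
        sf.setProperties(securityProperties());

        if (encryptResponses) {
            // Counterpart of the "xmlEncOutHandler" bean. The symmetric algorithm is
            // left at the interceptor's aes256-cbc default instead of being lowered
            // to aes128-cbc as the test fragment does (assumption of this example).
            sf.getOutInterceptors().add(new XmlEncOutInterceptor());
        }
        return sf.create();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample address. The page notes that encrypting the payload
        // makes HTTPS optional; TLS still protects headers and the request URI,
        // so keep it wherever the deployment allows.
        Server server = start("http://localhost:9000/xmlencryption", true);
        System.out.println("Listening at "
            + server.getEndpoint().getEndpointInfo().getAddress());
        Thread.sleep(60 * 1000L);
        server.stop();
    }
}
```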

Customizing the encryption

org.apache.cxf.rs.security.xml.XmlEncOutInterceptor manages the encryption process.
The following properties can be set on it at the moment:

"symmetricEncAlgorithm": default is "http://www.w3.org/2001/04/xmlenc#aes256-cbc"; complete URIs or short identifiers are supported, for example "aes128-cbc" or "http://www.w3.org/2001/04/xmlenc#aes256-cbc".
"keyEncAlgorithm": default is "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"
"keyIdentifierType": default is "X509_KEY"; "X509_ISSUER_SERIAL" is also supported, which is useful when the whole X.509 certificate should not be embedded
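A client that sets the properties from the Customizing the signature and Customizing the encryption sections explicitly rather than relying on defaults; this is an added example and is not code from the original page or the CXF project. It assumes the listed properties have bean-style setters named after them (setStyle and setSymmetricEncAlgorithm appear on this page; setSignatureAlgorithm, setDigestAlgorithm, setKeyEncAlgorithm and setKeyIdentifierType are assumed to follow the same pattern), and the Book class and address are constructed stand-ins for the page's own.

```java
import java.util.HashMap;
import java.util.Map;

import javax.xml.bind.annotation.XmlRootElement;

import org.apache.cxf.jaxrs.client.JAXRSClientFactoryBean;
import org.apache.cxf.jaxrs.client.WebClient;
import org.apache.cxf.rs.security.xml.XmlEncOutInterceptor;
import org.apache.cxf.rs.security.xml.XmlSigOutInterceptor;

/**
 * Client with the XmlSigOutInterceptor and XmlEncOutInterceptor properties from
 * the two "Customizing" sections set explicitly. Added example, not CXF code.
 */
public final class CustomizedXmlSecClient {

    /** Minimal stand-in for the page's Book type (constructed for this example). */
    @XmlRootElement(name = "Book")
    public static class Book {
        private long id;
        private String name;
        public Book() { }
        public Book(String name, long id) { this.name = name; this.id = id; }
        public long getId() { return id; }
        public void setId(long id) { this.id = id; }
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    public static XmlSigOutInterceptor signatureInterceptor() {
        XmlSigOutInterceptor sig = new XmlSigOutInterceptor();
        // "detached": Book is wrapped in the default {http://org.apache.cxf/rs/env}Envelope
        // ("envelopedName" left at its default) with ds:Signature as its sibling.
        sig.setStyle("detached");
        // The page's defaults, spelled out so the algorithm choice is visible in review.
        // Setter names are assumed from the property names listed above.
        sig.setSignatureAlgorithm("http://www.w3.org/2000/09/xmldsig#rsa-sha1");
        sig.setDigestAlgorithm("http://www.w3.org/2000/09/xmldsig#sha1");
        return sig;
    }

    public static XmlEncOutInterceptor encryptionInterceptor() {
        XmlEncOutInterceptor enc = new XmlEncOutInterceptor();
        // Keep the aes256-cbc default (short identifier form) rather than the
        // aes128-cbc override the page's test client uses.
        enc.setSymmetricEncAlgorithm("aes256-cbc");
        // Setter names are assumed from the property names listed above.
        enc.setKeyEncAlgorithm("http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p");
        // Reference bob's certificate by issuer name and serial number instead of
        // embedding the whole X.509 certificate in ds:KeyInfo.
        enc.setKeyIdentifierType("X509_ISSUER_SERIAL");
        return enc;
    }

    public static WebClient createClient(String address) {
        JAXRSClientFactoryBean bean = new JAXRSClientFactoryBean();
        bean.setAddress(address);

        Map<String, Object> properties = new HashMap<String, Object>();
        properties.put("ws-security.callback-handler",
                       "org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback");
        // alice signs the Book ...
        properties.put("ws-security.signature.username", "alice");
        properties.put("ws-security.signature.properties",
                       "org/apache/cxf/systest/jaxrs/security/alice.properties");
        // ... and the symmetric key is wrapped for bob
        properties.put("ws-security.encryption.username", "bob");
        properties.put("ws-security.encryption.properties",
                       "org/apache/cxf/systest/jaxrs/security/bob.properties");
        bean.setProperties(properties);

        // Signature first, then encryption, as in the page's client code.
        bean.getOutInterceptors().add(signatureInterceptor());
        bean.getOutInterceptors().add(encryptionInterceptor());
        return bean.createWebClient();
    }

    public static void main(String[] args) {
        // Constructed sample address, matching the page's examples.
        WebClient wc = createClient("https://localhost:8080/xmlencryption/bookstore/books");
        Book book = wc.post(new Book("CXF", 126L), Book.class);
        System.out.println("Server returned Book: " + book.getName());
    }
}
```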